What are the minimum permissions I can give a user to input data into the KV Store via REST API?

ollie920049
Path Finder

So far I've tried the built-in roles User/Power/Admin, but only Administrator worked.

I was wondering if anybody knew the exact permissions required to insert data into a single app's KV Store via the REST API?

Thanks,
Ollie

florianhh
Explorer

Hey There,

I want to push this thread and ask if something's changed since 2016?

I have the same question, need to delete and post data to a KV store and do not want to grant Admin level permissions to a user just for that.

0 Karma

goodsellt
Contributor

I've gotten it working by giving the user I perform the read/writes with externally in Python write permission to the app the collection is defined/stored in within Splunk.

0 Karma

rharrisssi
Path Finder

All that's required now, is that the API user be a regular user, and given permissions to the collection.

1.) Set up user with normal permissions.
2.) Create the KV store.
3.) Edit default.meta in your metadata folder within your App manually. My example is of a KV Store "mykvstore" and the user as "myuser".

[collections/mykvstore]
access = read : [ * ], write : [ myuser ]
export = none
owner = myuser

Obviously step 3 can be completed via the GUI as well.

TonyLeeVT
Builder

Both power and admin roles work for this purpose, however it is difficult to figure out the minimum capabilities necessary. It would be ideal if we did not need to grant the power role if possible.

Creating a role with the "admin_all_objects" capability does seem to work, but I am wondering if it is possible to reduce this even further.

0 Karma

the_wolverine
Champion

admin_all_objects grants capability to "admin all objects" so it is not recommended, particularly if OP is asking for a way to grant minimum capabilities.

0 Karma

rharrisssi
Path Finder

Does anyone have any idea if this is even on Splunk's roadmap?

0 Karma

starcher
SplunkTrust

Did you make sure the user account had app level write permissions to the app context where the collection is stored?

0 Karma

rharrisssi
Path Finder

Yes, some time ago. See my comment below, I posted when I received a notification about an update to this.

0 Karma

phoenixdigital
Builder

I'd like to know the answer to this as well if you ever found out.

I have a python script which updates the KV stores via the REST interface and want to limit it to only be able to touch certain KV stores if possible.

Would these be enough?

  • rest_properties_get
  • rest_properties_set

and what is to stop this user from modifying something else apart from KV stores via the REST interface?

Edit: Those are not enough. I made sure kv_store user had a role with only those

When trying to clear the contents of the KV store via Python I get this error

Status Code 403
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">User 'test_importer' with roles { test_importer, kv_store_rest_interface_access } cannot write: /nobody/nvd_datafeeds/collections/cve_test { read : [ * ], write : [ admin ] }, export: global, removable: no</msg>
  </messages>
</response>

I also made sure that the role had permissions to write to this kv store. So not sure why the error says this

read : [ * ], write : [ admin ]

It should say this

read : [ * ], write : [ admin, kv_store_rest_interface_access ]

Checking my metadata/local.meta it contains

[transforms/cve_test]
access = read : [ * ], write : [ admin, kv_store_rest_interface_access ]
export = system
owner = nobody
version = 6.2.3
modtime = 1441344296.674109600

0 Karma
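
A check that ties together the [collections/mykvstore] stanza from rharrisssi's steps and the 403 quoted in the post above, as an added example that is not code from any poster or from Splunk: it parses .meta text and reports which stanza supplies the write list for a KV store collection. The sample metadata is constructed, and the fallback order (the collection's own stanza, then [collections], then the app-level [] stanza) is an assumption about how the metadata is inherited.

```python
import re

# Constructed sample metadata, modelled on the stanzas quoted in this thread.
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]

[transforms/cve_test]
access = read : [ * ], write : [ admin, kv_store_rest_interface_access ]
export = system

[collections/mykvstore]
access = read : [ * ], write : [ myuser ]
export = none
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}} for .meta-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "[]" becomes the empty name
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def write_acl(stanzas, collection):
    """Return (stanza_used, write_list) for a collection (assumed fallback order)."""
    for name in (f"collections/{collection}", "collections", ""):
        access = stanzas.get(name, {}).get("access")
        m = re.search(r"write\s*:\s*\[([^\]]*)\]", access or "")
        if m:
            return name, [e.strip() for e in m.group(1).split(",") if e.strip()]
    return None, []

def can_write(stanzas, collection, principals):
    """True if any of the given role or user names is in the effective write list."""
    _, writers = write_acl(stanzas, collection)
    return "*" in writers or bool(set(writers) & set(principals))
```

With this sample, cve_test has only a transforms/ stanza, so its write list comes from the app-level default and the importer role is refused, while mykvstore has its own collections/ stanza.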

phoenixdigital
Builder

These capabilities for the role work

  • admin_all_objects
  • rest_properties_get
  • rest_properties_set

But obviously I don't want "admin_all_objects"

Giving ALL capabilities apart from "admin_all_objects" doesn't work either and gives the error.

Status Code 500
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">bad allocation</msg>
  </messages>
</response>

0 Karma

jkat54
SplunkTrust

@ppablo_splunk, hello sir. No clue where Ollie the op went but this is the correct answer IMHO.

0 Karma

ppablo
Retired

Let's also give the OP a chance to see these notifications and provide follow up if possible. @ollie920049, please follow up with the questions you ask here on Answers. This topic has gotten a lot of attention, but would be good to know if any of the responses above solve your immediate issue.

@jkat54 If you can get other folks in the community to vouch for it too (sharing this through IRC/Slack), then we can move forward with converting and accepting it if we don't hear back from the op.

0 Karma

jkat54
SplunkTrust

@phoenixdigital proved the permissions needed, and I agree with his solution. @ollie920049 was last seen May 7th this year so maybe he/she will come back, but the answer is correct regardless. You need admin_all_objects to write to kv store, and the other rest permissions to read/write to rest.

0 Karma

dolivasoh
Contributor

admin_all_objects is also required to use a secured SMTP relay for sending dashboard PDFs. I agree this grants way too much access and I've opened enhancement request #352759 to address it.

0 Karma

phoenixdigital
Builder

Also FWIW I can read the contents of the KV store via the REST interface.

I just can't write or delete from it.... unless I give admin permissions.

0 Karma